Zero-day vulnerabilities are gaining a prominent role in modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to the time sensitivity of traded commodities, trust, price fairness, and the possibility of defection.
To alleviate some of these problems, it was suggested to: 1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting; 2. Resort to the use of trusted third parties (e.g., escrow services) as crucial entities for enabling cooperation of market participants; and 3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in the absence of trusted third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions can a player extort the opponent? d. Can cooperation also be sustained in fully anonymous or semi-anonymous settings? The talk will address these questions and others by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies maximize profits while trading zero-days in today's marketplaces. Find out how to avoid getting extorted by zero-day traders. Learn how to extort an unwitting market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
This work finds application in a number of markets for vulnerability information and zero-day exploits. These range from over-the-counter zero-day trading, to boutique exploit providers offering zero-day vulnerabilities for a subscription fee, to service models for vulnerability research.